Hi Mike,
Hi Alfred -
A better scheme for threshold signing for the root might be the
Shoup paper: "Practical Threshold Signatures", Victor Shoup (s...@zurich.ibm.com
), IBM Research Paper RZ3121, 4/30/99
The major difference between the two is that the Shamir system
(which you describe) requires the base secret (private key) be
reconstituted (by a trusted entity) before it can be used, where the
Shoup system allows partial signatures with a public gather
function. E.g. In a 3 of 5 system, each of the 3 key share holders
partial-sign the data using their share of the private key and send
it (as public data) to a central location where a gather function is
used to form the actual signature.
I agree that threshold signatures have nice security properties, and
that Shoup's PTS method looks good, especially because its signature-
share generation step does not require any interaction between the
signers.
As you say, the TSS draft lacks the partial-signature capability, but
TSS does have the benefit of simplicity.
Shamir is nice in that it can be used for any set of key bits. But
the reconstitution requirement is a point of weakness where the
actual private key may be compromised. The Shoup system is only
specified for RSA as far as I know.
Shoup's PTS method requires the use of a trusted dealer to generate
the private keys of all of the signers. So while it eliminates the
need for a trusted dealer during the signing step, it does not
eliminate that need entirely. (At least this is the case for the
paper that you cited above; if there is work that eliminates the
trusted dealer, I would be very interested to see it.)
best regards,
David
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
